﻿@{

  //if access to this data (PII) is not open to public and securing access is justified at all, then the most effective security possible is also justified. 
  //of course must be on SSL initially to get CAC info supplied.
  //but more importantly, once an auth cookie has been passed to the client under SSL, it will be continually submited by client also on non SSL pages.
  //that means SSL for ALL pages, not just the login page. 
  //otherwise they can then be sniffed and access could then be impersonated.
  //many references for this: http://www.codinghorror.com/blog/2010/11/breaking-the-webs-cookie-jar.html
  //this web server environment seems to be particularly slow with SSL, hopefully we'll find ways to mitigate that.
  if (!Request.IsSecureConnection && Request.Url.Host != "localhost")
  {
    if (Request["retryssl"] == null && Request.Url != null)
    {
      Response.Redirect(Request.Url.ToString().Replace("http:", "https:") + "?retryssl=1");
    }
    else
    {
      Response.Write("This page must be run in SSL/HTTPS mode.");
      Response.End();
    }
    return;
  }

  //if we haven't pulled their access status yet...
  if (Session["IsAllowed"] == null)
  {
    if (Request.Url.Host == "localhost")
    {
      Session["IsAllowed"] = true;
      Session["IsAdmin"] = true;
    }
    else
    {
      using (var accessCheck = new Proc("AccessCheck"))
      {
        accessCheck["@CACInfo"] = Request.ClientCertificate.Subject;
        accessCheck.ExecuteNonQuery();
        Session["IsAllowed"] = (accessCheck["@IsAllowed"] == DBNull.Value ? (bool?) null : (bool) accessCheck["@IsAllowed"]);
        Session["IsAdmin"] = (accessCheck["@IsAdmin"] == DBNull.Value ? (bool?) null : (bool) accessCheck["@IsAdmin"]);
      }
    }
  }
}

